Compromising Domain Admin in Internal Pentest

Recently we have been on Internal Network Pentest with end goal to demonstrate the compromising Domain Admin account or be one of them.

First tool of choice is Responder with Analyze mode. This mode allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses, in simple words perform passive reconnaissance for you.
root@kali: python -I eth1 -A
From above screen we can say, the network looks vulnerable to LLMNR and NBT-NS poisoning. Firing up the Responder with respective flags we captured the hashes of users over the network.
root@kali: python -I eth1 -Pbv
Yay.. we got some cleartext credentials of the users using WPAD flag (-w). But most of them were normal internal users, continued running Responder on the network we captured hash of Servicedesk account.
Then we cracked the hash using Hashcat with aid of dictionary file. Now its time to abuse the cracked Servicedesk credentials to dig more in the infrastructure. So using the trick explained by @sixdb in article we used /netonly flag with runas.exe. This allowed us to launch cmd.exe running in context of domain user (Servicedesk) from non-domain joined system. 
Once connected you can run various tools, like we used Powersploit to dump more information about Domain being authenticated user. We enumerated information about Domain Controllers and Domain Admins in the infrastructure.
Now we need to find the path to compromise the Domain Admin account, for this we used BloodHound. It aids us to reveal the hidden and often unintended relationships within an Active Directory environment in turn expediting the escalation process. 
 Bloodhound generates 3 csv for visualization.
Using visualization generated using Bloodhound we found "Shortest Path to Domain Admins". 
The generated graph shows the no. of hops required to reach machine where Domain Admin is logged-in. Hence using cmd.exe access we can run Invoke-Mimikatz.ps1 to dump credentials from first hop server. But now days all AV engines flag these scripts.
So in order bypass AV detection we used Lazykatz. Its automation developed to extract credentials from remote targets protected with AV and/or application whitelisting software, developed on top of @subtee work

Running the Lazykatz using Servicedesk account against first hop server, we got clear text credentials of one of the member of Domain Admin group. Using those credentials we added our user to Domain Admin group.

Finally, we are member of Domain Admin group. Happy Hunting.


  1. To be honest, I don't have such advance knowledge in computer sciences. But I'm sure some of my computer friends could benefit from this information.


Post a Comment

Popular Posts